
Microsoft Defender for Office 365

Email & collaboration protection against phishing, BEC, malware & zero-day threats

What is MDO?

Microsoft Defender for Office 365 (MDO) safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools including Microsoft Teams, SharePoint Online, OneDrive for Business, and other Office clients. It provides Plan 1 (protection) and Plan 2 (investigation, hunting, and remediation) capabilities.

Core Capabilities

Defender for Office 365 Labs

Email and collaboration security labs: configure protection policies, simulate phishing attacks, and investigate business email compromise from end to end.

MDO Scripts

Ready-to-run PowerShell scripts for lab simulations. View all scripts →

Script | Description | Level | Parameters
Invoke-MDOPhishingSimulation.ps1 | Attack simulation training: verify Safe Links/Attachments, configure phishing campaigns | Intermediate | -TargetMailboxes, -SimulationType
Invoke-MDOMailFlowRules.ps1 | Mail flow protection: external tagging, executable blocking, phishing quarantine rules | Intermediate | -Action [Create|Review|Cleanup]

MDO Resources

Defender for Office 365 FAQ

What is the difference between MDO Plan 1 and Plan 2?

MDO comes in two plans with significantly different capabilities:

  • Plan 1 (included in Microsoft 365 Business Premium and sold as an add-on; note that Microsoft 365 E3 ships with Exchange Online Protection only, not Plan 1): Safe Attachments (sandbox detonation of unknown attachments), Safe Links (URL scanning with time-of-click verification), anti-phishing policies with impersonation protection and spoof intelligence, and Real-time detections
  • Plan 2 (included in Microsoft 365 E5, E5 Security and Office 365 E5): everything in Plan 1 plus Threat Explorer (the full email investigation tool), Automated Investigation and Response (AIR), Attack Simulation Training (phishing simulations with training assignments), Campaign Views (tracking coordinated attack campaigns), Threat Trackers, and the email tables in Defender XDR advanced hunting

For SOC teams that need to investigate email threats and run user training, Plan 2 is essential. Plan 1 provides strong prevention but limited investigation capability.

MDO plans comparison

What is Zero-Hour Auto Purge (ZAP) and how does it work?

ZAP is a retroactive protection mechanism that removes malicious email from mailboxes after it has already been delivered:

  • How it works: when a later verdict identifies an already delivered message as malicious (a new malware signature, a URL newly classified as phishing, an updated sender reputation), ZAP moves or quarantines that message in every mailbox that received it, using the action configured in the applicable anti-malware or anti-spam policy
  • Malware ZAP: quarantines messages with malware attachments regardless of read status
  • Phishing ZAP: moves messages reclassified as phishing to Junk or Quarantine according to the anti-spam policy's phishing action, whether or not the user has read them; high-confidence phishing is quarantined
  • Spam ZAP: moves unread messages reclassified as spam to the Junk folder; messages the user has already read are left alone
  • Timing: ZAP can act on messages for up to 48 hours after delivery, but the action itself usually lands within minutes of the new verdict
  • Scope: ZAP acts on Exchange Online mailboxes, including shared mailboxes and Microsoft 365 Groups; mailboxes still hosted on-premises in a hybrid deployment are not covered

ZAP is enabled by default in the anti-malware and anti-spam policies and needs no configuration, though each policy exposes a switch to turn it off, so it belongs on your configuration-drift checklist. Monitor ZAP actions in Threat Explorer and on the email entity page, or hunt for them in the EmailPostDeliveryEvents table in advanced hunting.
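Because ZAP lives in several policies rather than one global switch, it is easy for a well-meaning exclusion to silently disable it. The following script is an added example, not code from the page or from Microsoft: it reads every anti-malware and anti-spam policy over Exchange Online PowerShell and warns about any policy with a ZAP flag set to false. It assumes an existing session from Connect-ExchangeOnline with a role that can read filter policies; the policy names printed depend on your tenant.

```powershell
# Added example (not from the page): audit ZAP settings across every
# anti-malware and anti-spam policy and flag any policy that has ZAP
# switched off. Assumes Connect-ExchangeOnline has already been run.

function Get-ZapAudit {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()

    # Malware ZAP is controlled per anti-malware policy (ZapEnabled).
    foreach ($p in Get-MalwareFilterPolicy) {
        $findings.Add([pscustomobject]@{
            PolicyType = 'AntiMalware'
            Policy     = $p.Name
            IsDefault  = $p.IsDefault
            MalwareZap = $p.ZapEnabled
            PhishZap   = $null
            SpamZap    = $null
        })
    }

    # Phish and spam ZAP are controlled per anti-spam (hosted content filter) policy.
    foreach ($p in Get-HostedContentFilterPolicy) {
        $findings.Add([pscustomobject]@{
            PolicyType = 'AntiSpam'
            Policy     = $p.Name
            IsDefault  = $p.IsDefault
            MalwareZap = $null
            PhishZap   = $p.PhishZapEnabled
            SpamZap    = $p.SpamZapEnabled
        })
    }
    return $findings
}

$audit = Get-ZapAudit
$audit | Format-Table -AutoSize

# A value of $false (not $null, which just means "not applicable to this
# policy type") is a gap that should be traceable to a change record.
$disabled = $audit | Where-Object {
    $_.MalwareZap -eq $false -or $_.PhishZap -eq $false -or $_.SpamZap -eq $false
}
foreach ($d in $disabled) {
    Write-Warning "ZAP disabled in $($d.PolicyType) policy '$($d.Policy)'"
}

# Re-enable with the matching Set-* cmdlet, for example:
#   Set-MalwareFilterPolicy -Identity Default -ZapEnabled $true
#   Set-HostedContentFilterPolicy -Identity Default -PhishZapEnabled $true -SpamZapEnabled $true
```

Run it from a scheduled job and diff the output against the previous run; a policy that changes from true to false without a ticket is the finding you actually care about.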

ZAP documentation

How does impersonation protection work?

Anti-phishing impersonation protection detects emails that attempt to impersonate trusted individuals or organisations:

  • User impersonation: Protects specific high-value users (CEO, CFO, HR director). Detects when an external sender uses a display name or email address similar to the protected user (e.g., "john.smith@contoso.com" vs "john.srnith@contoso.com")
  • Domain impersonation: Detects emails from domains that visually resemble your organisation's domain or partner domains (e.g., "contoso.com" vs "c0ntoso.com"). Your own accepted domains can be covered with one switch; partner domains are listed explicitly.
  • Mailbox intelligence: Builds a map of who each user normally corresponds with and flags senders that claim to be a known contact but are not. The separate "mailbox intelligence protection" setting turns those detections into an action instead of a safety tip only.
  • Actions: Per detection type you can quarantine the message, move it to Junk, redirect it to another address, deliver it and Bcc a security mailbox, delete it before delivery, or take no action. The safety tips users see (similar user, similar domain, unusual characters, first contact) are switched on separately in the same policy.

Configure up to 350 protected users and 50 protected domains per anti-phishing policy. Impersonation protection complements, rather than replaces, email authentication: a lookalike address on a domain you do not own may pass SPF, DKIM and DMARC perfectly and is caught only by impersonation detection, while a forged sender on your own domain is caught by spoof intelligence, which depends on SPF, DKIM and DMARC being in place.
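The settings above map one-to-one onto parameters of New-AntiPhishPolicy, which makes the configuration reviewable in source control. The script below is an added example written for this page, not code from Microsoft or from the lab scripts listed earlier. It creates (or updates) a dedicated policy covering user, domain and mailbox-intelligence impersonation together with spoof intelligence and DMARC enforcement, then binds it to recipients with an anti-phish rule. The policy name, the protected users, the partner domain and the recipient domain contoso.com are placeholders; it assumes Connect-ExchangeOnline has been run.

```powershell
# Added example (not from the page): build a dedicated anti-phishing policy
# with impersonation protection and scope it to the tenant's accepted domain.
# All names, addresses and domains below are placeholders.

$policyName = 'Exec-Impersonation-Protection'   # placeholder name

# Protected users are passed as "Display Name;smtp address" pairs.
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.com',    # placeholder CEO
    'John Smith;john.smith@contoso.com' # placeholder CFO
)
$partnerDomains = @('fabrikam.com')      # placeholder partner domain

$params = @{
    Name                                = $policyName
    # Who may be impersonated
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true     # every accepted domain
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $partnerDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence: learn each user's contact graph, then act on impostors
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Safety tips are separate switches from the actions above
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    # Spoof intelligence and DMARC enforcement live in the same policy
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    HonorDmarcPolicy                    = $true
    DmarcRejectAction                   = 'Reject'
    DmarcQuarantineAction               = 'Quarantine'
    PhishThresholdLevel                 = 3   # 1 (standard) .. 4 (most aggressive)
}

if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy @params | Out-Null
} else {
    $params.Remove('Name')
    Set-AntiPhishPolicy -Identity $policyName @params
}

# The rule binds the policy to recipients; the lowest Priority number wins
# when several custom policies match the same recipient.
if (-not (Get-AntiPhishRule -Identity "$policyName-Rule" -ErrorAction SilentlyContinue)) {
    New-AntiPhishRule -Name "$policyName-Rule" `
        -AntiPhishPolicy $policyName `
        -RecipientDomainIs 'contoso.com' `
        -Priority 0 | Out-Null
}

# Verify the effective settings.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, TargetedUsersToProtect, TargetedDomainsToProtect,
        TargetedUserProtectionAction, MailboxIntelligenceProtectionAction,
        HonorDmarcPolicy, PhishThresholdLevel
```

Keep the protected-user list in the script rather than editing it in the portal: the 350-user cap is reached faster than you expect once every regional finance lead is added, and a reviewable list makes it obvious who was dropped to make room.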

Anti-phishing policies

How do I set up phishing simulation campaigns?

Attack Simulation Training (Plan 2) lets you run realistic phishing simulations to measure and improve user resilience:

  1. Choose a technique: Credential Harvest, Malware Attachment, Link in Attachment, Link to Malware, Drive-by URL, OAuth Consent Grant, or How-to Guide (a no-payload simulation that teaches users how to report)
  2. Select a payload: Use Microsoft's pre-built payloads modeled on real-world attacks, or create custom payloads with your own branding and landing pages
  3. Target users: Target specific departments, groups, or the entire organisation. Exclude recent new hires or VIPs if needed.
  4. Schedule: Launch immediately or schedule for a future date. Campaigns can run for 1-30 days.
  5. Assign training: Users who click the phishing link are automatically assigned security awareness training modules (Microsoft or third-party content)
  6. Report: Track click rates, credential submission rates, training completion rates, and improvement over time across campaigns

Best practice: Run monthly simulations with varying techniques, track the repeat clicker rate (users who clicked in more than one campaign), and brief leadership on quarterly trends. Commonly quoted vendor benchmarks put click rates at 10–15% for untrained users, dropping to 2–5% after about six months of regular simulation; treat these as a yardstick rather than a target, since the result depends heavily on how convincing the chosen payload is.

Attack simulation training

Does MDO protect Teams, SharePoint, and OneDrive?

Yes. MDO extends email protection to Microsoft collaboration workloads:

  • Safe Attachments for SharePoint, OneDrive, and Teams: Files uploaded to these services are detonated with the same sandboxing engine used for email attachments. A file found malicious is marked and blocked from being opened, moved, copied or shared, and users see a warning in the library; it can still be downloaded unless the SharePoint tenant setting DisallowInfectedFileDownload is also set.
  • Safe Links for Teams: URLs in Teams messages, channel posts and chats are checked at time of click, and malicious links open a warning page instead of the destination.
  • Safe Links for Office apps: URLs in Office documents (Word, Excel, PowerPoint) get the same time-of-click verification, wherever the document was opened from.

Safe Attachments for SharePoint, OneDrive, and Teams is a single tenant-wide setting (the Safe Attachments "global settings" in the portal, Set-AtpPolicyForO365 in PowerShell) and is off until you enable it; the Teams and Office coverage of Safe Links is switched on per Safe Links policy, so whether a user is covered depends on which preset or custom policy applies to them. All of it is included in both MDO Plan 1 and Plan 2.
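Since the three protections are configured in three different places (a tenant-wide switch, a SharePoint tenant setting and every Safe Links policy), a single script that sets and then reports all of them is the practical way to avoid a half-configured tenant. This is an added example, not code from the page or from Microsoft. It assumes Connect-ExchangeOnline has been run and, for the SharePoint download block, that Connect-SPOService can reach your admin site; the admin URL is a placeholder.

```powershell
# Added example (not from the page): enable the collaboration-workload
# protections and report the effective state. The SharePoint admin URL is a
# placeholder; assumes Connect-ExchangeOnline has already been run.

# 1. Tenant-wide: detonate files uploaded to SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 2. SharePoint: without this, a flagged file is marked but can still be
#    downloaded from some clients.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder
Set-SPOTenant -DisallowInfectedFileDownload $true

# 3. Per Safe Links policy: cover Teams messages and Office documents, not
#    just email, and stop users clicking through the warning page.
foreach ($policy in Get-SafeLinksPolicy) {
    Set-SafeLinksPolicy -Identity $policy.Identity `
        -EnableSafeLinksForEmail $true `
        -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForOffice $true `
        -ScanUrls $true `
        -DeliverMessageAfterScan $true `
        -TrackClicks $true `
        -AllowClickThrough $false
}

# 4. Report everything in one object so the state can be checked in a pipeline.
function Get-CollaborationProtectionStatus {
    $atp = Get-AtpPolicyForO365
    $links = Get-SafeLinksPolicy | ForEach-Object {
        [pscustomobject]@{
            SafeLinksPolicy = $_.Name
            Email           = $_.EnableSafeLinksForEmail
            Teams           = $_.EnableSafeLinksForTeams
            Office          = $_.EnableSafeLinksForOffice
            ClickThrough    = $_.AllowClickThrough   # should be False
        }
    }
    [pscustomobject]@{
        SafeAttachmentsForSPOTeamsODB = $atp.EnableATPForSPOTeamsODB
        InfectedDownloadBlocked       = (Get-SPOTenant).DisallowInfectedFileDownload
        SafeLinksPolicies             = $links
    }
}

Get-CollaborationProtectionStatus | Format-List
```

Step 3 touches every Safe Links policy, including ones that deliberately leave click-through enabled for a pilot group; review Get-SafeLinksPolicy output first and scope the loop if that is the case in your tenant.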

Safe Attachments for SPO/Teams

How do I investigate email threats with Threat Explorer?

Threat Explorer (Plan 2) is the primary email investigation tool for SOC analysts. It provides a real-time view of all email flowing through your organisation with powerful filtering and investigation capabilities:

  • Views: All email, Malware, Phish, Content malware, and URL clicks, each with dedicated filters and columns
  • Deep investigation: Click any email to see full headers, delivery details, detection reasons, URL detonation results, and attachment analysis results
  • Remediation actions: Select multiple emails and take bulk actions: soft delete, hard delete, move to junk, or move to inbox (for false positives)
  • Campaign detection: Campaign views group related phishing emails by attack pattern, showing the full scope of a coordinated campaign across your organisation
  • URL clicks: Track which users clicked specific URLs after delivery, enabling targeted remediation and training

Threat Explorer data is retained for 30 days, and the email tables in Defender XDR advanced hunting (EmailEvents, EmailUrlInfo, EmailAttachmentInfo, EmailPostDeliveryEvents, UrlClickEvents) have the same 30-day window; what advanced hunting adds is joins across tables, custom detection rules and scriptable queries, not longer retention. For longer-term analysis, get the data out, for example by connecting Defender XDR to Microsoft Sentinel or by sending those tables through the Defender XDR streaming API to an Event Hub or storage account.
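The "URL clicks" investigation above (who clicked a link from a message that later got a phish verdict, and whether Safe Links let the click through) can be reproduced as a script through the advanced hunting endpoint in Microsoft Graph, which is useful when the same question has to be asked every morning. This is an added example, not code from the page or from Microsoft. It assumes Connect-MgGraph with the ThreatHunting.Read.All permission and MDO Plan 2 (the email tables are not populated otherwise); the 7-day window and the "Phish" filter are choices made here, not defaults.

```powershell
# Added example (not from the page): run an advanced hunting query through
# Graph's runHuntingQuery endpoint and list users who clicked URLs from
# delivered mail that carries a phish verdict. Assumes ThreatHunting.Read.All.

Connect-MgGraph -Scopes 'ThreatHunting.Read.All' | Out-Null

# KQL: delivered mail with a phish verdict, joined to post-delivery clicks on
# its URLs. Blocked clicks are kept so you can see who would have been a
# victim without Safe Links; allowed clicks are the ones needing follow-up.
$kql = @'
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish"
| where DeliveryAction == "Delivered"
| project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, DeliveryLocation
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(7d)
    | where Workload == "Email"
    | project NetworkMessageId, ClickTime = Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
  ) on NetworkMessageId
| summarize Clicks = count(),
            AllowedClicks = countif(ActionType == "ClickAllowed" or IsClickedThrough == true),
            Urls = make_set(Url, 5),
            Subjects = make_set(Subject, 3)
  by RecipientEmailAddress
| order by AllowedClicks desc, Clicks desc
'@

function Invoke-HuntingQuery {
    param([Parameter(Mandatory)][string]$Query)
    $body = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body $body -ContentType 'application/json'
    # Results come back as an array of hashtables keyed by column name.
    $resp.results | ForEach-Object { [pscustomobject]$_ }
}

$clickers = Invoke-HuntingQuery -Query $kql
$clickers | Format-Table RecipientEmailAddress, Clicks, AllowedClicks -AutoSize

# Anyone with an allowed click on a phish URL is a candidate for password
# reset, session revocation and a targeted training assignment.
$clickers | Where-Object AllowedClicks -gt 0 |
    Select-Object -ExpandProperty RecipientEmailAddress
```

The join is on NetworkMessageId, which is the same identifier Threat Explorer shows on the email entity page, so a row from this script can be pasted straight into the portal filter when an analyst wants the full headers and detonation details.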

Threat Explorer

What is the recommended email authentication setup?

Email authentication (SPF, DKIM, DMARC) is foundational for email security and works in concert with MDO protections:

  • SPF (Sender Policy Framework): A DNS TXT record listing the hosts allowed to send mail for your domain. Receivers check the connecting IP against it for the envelope sender (MAIL FROM / Return-Path), so SPF on its own says nothing about the From: address the user sees. Keep the record within the 10-DNS-lookup limit and end it with -all.
  • DKIM (DomainKeys Identified Mail): A signature over selected headers and the body, made with a private key whose public half is published in DNS under a selector, so the receiver can verify that the signed parts were not altered in transit. Microsoft 365 signs with custom domains once you publish the selector1 and selector2 CNAMEs and enable signing for the domain.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): A DNS TXT record at _dmarc.<domain> that tells receivers what to do when neither SPF nor DKIM passes with a domain aligned to the From: header (p=none to monitor, p=quarantine, or p=reject) and where to send aggregate reports (rua=). Start at p=none with rua= set, analyse the reports for 4–8 weeks until every legitimate sender authenticates, then move to p=quarantine and finally p=reject; pct= lets you ramp up gradually.

All three should be configured for every domain your organisation sends email from, and domains that send no mail at all should publish a p=reject DMARC record so they cannot be borrowed. On the receiving side, spoof intelligence in EOP/MDO folds SPF, DKIM and DMARC into a composite authentication verdict (compauth in the Authentication-Results header), and the anti-phishing policy's "Honor DMARC record policy" setting lets you apply the sender's p=quarantine or p=reject as published instead of the older behaviour of treating reject as quarantine.
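The mistakes that undermine this setup are mostly mechanical: an SPF record that exceeds 10 lookups and so fails open, a ~all instead of -all, a DMARC record that never left p=none or has no rua= address, and DKIM CNAMEs that were never published so Microsoft 365 cannot sign. The script below, an added example rather than code from the page or from Microsoft, checks a domain for each of these from DNS and then enables DKIM signing in Microsoft 365 once the CNAMEs resolve. The domain contoso.com is a placeholder; Resolve-DnsName is Windows-only, and the DKIM part assumes Connect-ExchangeOnline has been run.

```powershell
# Added example (not from the page): check SPF, DKIM CNAMEs and DMARC for a
# domain from DNS, flag common mistakes, then enable DKIM signing in
# Microsoft 365 when the CNAMEs are in place. Domain is a placeholder.

function Test-EmailAuthentication {
    param([Parameter(Mandatory)][string]$Domain)

    $r = [ordered]@{ Domain = $Domain }

    # SPF: a single TXT starting with v=spf1. Count the mechanisms that cost a
    # DNS lookup; more than 10 makes evaluators return permerror, i.e. fail open.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    $r.SPF = $spf
    if ($spf.Count -gt 0) {
        $lookups = ([regex]::Matches($spf[0], '\b(include:|a\b|mx\b|ptr\b|exists:|redirect=)')).Count
        $r.SpfLookups = $lookups
        $r.SpfIssues = @(
            if ($lookups -gt 10)            { "more than 10 DNS lookups ($lookups)" }
            if ($spf[0] -notmatch '-all$')  { 'does not end in -all (soft or neutral fail)' }
            if ($spf.Count -gt 1)           { 'multiple SPF records (treated as permerror)' }
        )
    } else { $r.SpfIssues = @('no SPF record') }

    # DKIM for Microsoft 365: selector1/selector2 CNAMEs must exist before signing.
    $r.DkimSelectors = foreach ($sel in 'selector1', 'selector2') {
        $c = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $sel; Target = $c.NameHost }
    }

    # DMARC: TXT at _dmarc.<domain>; p= is the policy, rua= is where aggregate
    # reports go. Without rua= the p=none phase yields no data at all.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } |
        Select-Object -First 1
    $r.DMARC = $dmarc
    $r.DmarcIssues = @(
        if (-not $dmarc)                 { 'no DMARC record' }
        elseif ($dmarc -notmatch 'rua=') { 'no rua= reporting address' }
        elseif ($dmarc -match 'p=none')  { 'p=none: monitoring only, no enforcement' }
    )
    [pscustomobject]$r
}

$domain = 'contoso.com'   # placeholder
Test-EmailAuthentication -Domain $domain | Format-List

# Enable outbound DKIM signing in Microsoft 365 once both CNAMEs resolve.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    # Creates the signing config and prints the two CNAME targets to publish.
    New-DkimSigningConfig -DomainName $domain -Enabled $false |
        Select-Object Selector1CNAME, Selector2CNAME
} elseif (-not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
}
```

The lookup count is an approximation (it does not follow include: chains recursively), so a record that reports 8 here may still exceed the limit once its includes are expanded; treat anything above 6 or 7 as worth flattening.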

Email authentication

โ† Back to Defender XDR